This invention relates to expressions based on features of users and user actions of an online system for performing dynamic updates to the behavior of the online system.
Online systems often get attacked by malicious users that cause harm to the online system or to the users of the online system. A malicious user can cause harm by gaining unauthorized access to user accounts, stealing information from the online system, sending unsolicited information to the users, and so on. For example, a malicious user may launch a phishing attack to gain access to a user's account. Once a user's account is compromised, the compromised account can be used to launch other attacks. Malicious users can send messages to users that cause malware to be installed on the user's device. Malware installed on a user's device can cause messages to be sent to other users that cause the malware to replicate itself.
There are other types of user actions that cause harm that may be less severe than the examples given above. Users may use the online system in ways that are discouraged by the online system. For example, an online system may recommend that each user have one user account. However, users may create multiple user accounts for various reasons, for example, to use each account for a particular purpose. These additional accounts created by a user may provide false information to the online system. For example, a social networking system may use the number of connections of a user as a metric to make certain decisions regarding the user, including the newsfeed sent to the user, direct advertisements to the user, and so on. Fake user accounts may increase the number of connections of the user, thereby providing false information to the social networking system and causing it to make incorrect decisions.
Online systems need to take actions to protect the online system itself and its users from these attacks. Online systems such as social networking systems store a social graph that describes how users are connected to each other. The social graph can be exploited by malicious users to rapidly propagate harm to the online system or the users of the online system. For example, users connected to each other via a social networking system trust each other and are more likely to respond to messages from a connection. Therefore, a user is more likely to interact with a malicious message received from a connection whose account has been compromised. A user's interaction with the malicious message can propagate the malicious message to other connections of the user. Any delay in responding to an attack on the social networking system can result in the harm being propagated rapidly to a very large number of users. Therefore, online systems, for example, social networking systems, must respond to these attacks within a short period after the attack is launched in order to limit the damage caused by the attack. Furthermore, the attackers of a system may constantly change their strategies to avoid being identified. As a result, the online system must continuously adapt to changes in the attackers' strategies. Conventional techniques that respond to attacks after a significant delay can result in the harm being propagated to a large number of users.